Now try visiting that from the browser of another computer on the same network like so:

http://192.168.1.71:3000

No way dude, this thing is hush hush, and under NDA! This is an old unpatched version of Rails! All the security and access controls aren’t set up yet! Rack::Bug, Rails Footnotes, and New Relic are exposed to the whole place!

While this behavior may be acceptable and even desirable at times (internal testing team behind a company firewall?), it is a bad default.

Running rails server by default starts a web server on port 3000 bound to 0.0.0.0, which means every network interface on the machine will accept connections, not just the loopback interface.

Luckily, there is a way to start the rails server to only listen to requests that come directly from your computer:

rails server --binding=127.0.0.1

All the benefits and none of the drawbacks; the only problem is that there really isn’t a good way to make this the default (you know, so you’ll actually remember to do it every time).

My preferred solution is to add a line like this to my ~/.profile:

alias rails-server='rails server --binding=127.0.0.1'

and just use that all the time.

Actually, to make it sticky for me, I’ve aliased it to something ridiculously short, since I use it so often:

alias rs='rails server --binding=127.0.0.1'
alias rc='rails console'
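A plain alias hard-codes the bind address, so passing a different --binding later means typing the whole command again. The shell functions below are an added example, not from the original post: rs defaults to the loopback address but yields to an explicit --binding or -b, and exposed_listeners is a quick check, run against ss -ltn output, for any dev server that has been left listening on every interface. It assumes a POSIX shell, that rails is on PATH, and that ss (Linux) is available for the live check; the SAMPLE_SS text is constructed for the self-test.

```shell
#!/bin/sh
# Added example: loopback-by-default rails server wrapper plus a listener audit.
# Assumes a POSIX sh, `rails` on PATH, and `ss` (Linux iproute2) for the live check.

# Echo the argument list that `rails server` should receive: prepend
# --binding=127.0.0.1 unless the caller already chose an address with
# --binding/-b (either form). Arguments containing spaces are not supported.
bind_args() {
    for arg in "$@"; do
        case "$arg" in
            --binding|--binding=*|-b|-b=*) printf '%s\n' "$*"; return 0 ;;
        esac
    done
    printf '%s\n' "--binding=127.0.0.1${*:+ $*}"
}

# Loopback-only rails server by default; `rs -b 0.0.0.0` still works when
# you genuinely want the app reachable from the LAN.
rs() {
    # shellcheck disable=SC2046  # intentional word splitting of bind_args output
    set -- $(bind_args "$@")
    rails server "$@"
}

# Read `ss -ltn` style output on stdin and print "host port" for every TCP
# listener bound to all interfaces (0.0.0.0, *, [::] or ::). Loopback-bound
# sockets are not reported. Column 4 is "Local Address:Port"; the port is the
# text after the last colon, which also handles bracketed IPv6 addresses.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
            print host, port
    }'
}

# Constructed sample of `ss -ltn` output: one rails server bound correctly to
# loopback, one bound to 0.0.0.0, plus two other wide-open listeners.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*
LISTEN 0      128    [::]:9292           [::]:*
LISTEN 0      128    *:8080              *:*'

# Run the audit over the constructed sample (used by the self-test).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# Run the audit against the live socket table, if `ss` is installed.
audit_live() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 1; }
    ss -ltn | exposed_listeners
}
```

Source the file from ~/.profile instead of the alias lines and `rs` behaves like the alias; `audit_live` (or `ss -ltn | exposed_listeners` directly) is a cheap way to confirm nothing on the box is still bound to 0.0.0.0 after you switch.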

However, there are ways to make it always do this on a per-project basis through such hackery as demonstrated in this StackOverflow post.

But I believe it is a brittle approach to reach into Rails internals like this, and it may cause unexpected consequences in production.

This is definitely not the end-all-solution for everything, but every little bit helps. Other things worth considering to secure your development machine: